- GoDaddy found a malicious campaign infecting 20,000 WordPress sites
- It is called DollyWay, and it is super persistent
- DollyWay redirects visitors to fake gambling and crypto sites
A long-running, super persistent malicious campaign that infected more than 20,000 WordPress websites worldwide has been uncovered by experts.
Security researchers from GoDaddy dubbed it “DollyWay World Domination”, which had the goal of redirecting vicims to fake dating, gambling, crypto, and sweepstakes sites, although in the past the campaign was also used to spread ransomware and banking trojans.
DollyWay has been active since at least 2016, GoDaddy says, adding today it generates 10 million impressions every month, raking in solid earnings for the operators. Over the years, it also improved evasion, reinfection, and monetization strategies.
A single threat actor
DollyWay is currently in its third iteration, while the previous ones were more focused on malware distribution and phishing.
To compromise WordPress websites, DollyWay’s operators looked for n-day vulnerabilities in plugins and themes for the platform. They also employed a Traffic Direction System (TD) to filter and redirect users based on their location, device, and referrer. To make sure attackers get paid per redirection, they used VexTrio and LosPollos networks.
When it comes to obfuscation, DollyWay was doing a number of things: It redirected users only after they clicked on something, in order to evade passive security scans. It also wasn’t redirecting any logged-in WordPress users, bots, and direct visitors who were coming without referrers. It was also quite persistent, GoDaddy said, since reinfection would occur with every page load.
At first, GoDaddy’s researchers were under the impression that they were analyzing multiple groups and different campaigns.
“While previously thought to be separate campaigns, our research reveals these attacks share common infrastructure, code patterns, and monetization methods – all appearing to be connected to a single, sophisticated threat actor,” the researchers concluded. “The operation was named after the following tell-tale string, which is found in some variations of the malware: define(‘DOLLY_WAY’, ‘World Domination’).”
Via BleepingComputer
Leave a comment